Opened 11 years ago

Closed 11 years ago

#5760 closed (wontfix)

Use keyed hashing for session data, remove duplicate code

Reported by: Nir Soffer <nirs@…>
Owned by: nobody
Component: contrib.sessions
Version: 0.96
Severity:
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no


Use hmac instead of md5 to create a digest of session data. Using hmac is probably more secure than the home-built md5 implementation. Also, the current implementation uses hexdigest() when digest() is just fine.

While replacing the hash, extract the digest code to a new function to remove duplicate code.


  • Old sessions will be invalidated with this patch
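The following is an added illustration of the scheme the ticket proposes; it is not the attached session.patch and not Django's own code. It assumes HMAC-SHA256 (the ticket only says "hmac"), assumes the old scheme hashed the serialised payload concatenated with the secret, and serialises with JSON instead of whatever the real session backend uses. One helper, `session_digest`, is shared by encoding and verification, which is the "remove duplicate code" part; the raw `digest()` is appended rather than `hexdigest()`; and `encode_legacy_session` shows why sessions tagged under the old scheme stop validating once the keyed hash is in place.

```python
import base64
import hashlib
import hmac
import json

# Constructed demonstration secret; a real deployment reads it from settings.SECRET_KEY.
SECRET_KEY = b"constructed-demo-secret-not-for-production"

TAG_LEN = hashlib.sha256().digest_size  # 32 raw bytes from digest(); hexdigest() would be 64 chars


def session_digest(payload: bytes, key: bytes) -> bytes:
    """Single keyed-hash helper shared by encode and verify (the ticket's
    'extract the digest code to a new function'). HMAC-SHA256 is an assumed
    choice for this example. Returns raw digest() bytes, not hexdigest()."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def legacy_md5_digest(payload: bytes, key: bytes) -> bytes:
    """Unkeyed digest of payload||secret, standing in for the home-built MD5
    scheme being replaced. The exact concatenation layout is an assumption."""
    return hashlib.md5(payload + key).digest()


def encode_session(session_dict: dict, key: bytes = SECRET_KEY) -> bytes:
    """Serialise the session, append its keyed tag, base64 the whole blob."""
    payload = json.dumps(session_dict, sort_keys=True).encode("utf-8")
    return base64.b64encode(payload + session_digest(payload, key))


def encode_legacy_session(session_dict: dict, key: bytes = SECRET_KEY) -> bytes:
    """Same layout but with the old MD5 tag, to show that such blobs no longer verify."""
    payload = json.dumps(session_dict, sort_keys=True).encode("utf-8")
    return base64.b64encode(payload + legacy_md5_digest(payload, key))


def verify_session(blob: bytes, key: bytes = SECRET_KEY) -> bool:
    """True only if the trailing tag was produced by session_digest under this key."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= TAG_LEN:
        return False
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    # compare_digest keeps the comparison time independent of where the bytes differ.
    return hmac.compare_digest(tag, session_digest(payload, key))


def decode_session(blob: bytes, key: bytes = SECRET_KEY) -> dict:
    """Return the session dict, or raise if the keyed tag does not verify."""
    if not verify_session(blob, key):
        raise ValueError("session data failed keyed-hash verification")
    raw = base64.b64decode(blob, validate=True)
    return json.loads(raw[:-TAG_LEN].decode("utf-8"))


def tamper_payload(blob: bytes) -> bytes:
    """Flip one bit in the serialised session while leaving the tag untouched."""
    raw = bytearray(base64.b64decode(blob, validate=True))
    raw[1] ^= 0x01
    return base64.b64encode(bytes(raw))


if __name__ == "__main__":
    blob = encode_session({"user_id": 42, "is_staff": False})
    print("round trip:", decode_session(blob))
    print("tampered blob verifies:", verify_session(tamper_payload(blob)))
    print("wrong key verifies:", verify_session(blob, b"other-key"))
    print("legacy MD5 blob verifies:", verify_session(encode_legacy_session({"user_id": 42, "is_staff": False})))
```

Running the module shows a clean round trip, then `False` for a modified payload, for a different key, and for a blob tagged under the legacy MD5 scheme; that last `False` is exactly the "old sessions will be invalidated" consequence the ticket notes, so a deployment would need to accept a session reset when switching.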

Attachments (1)

session.patch (1.9 KB) - added by Nir Soffer <nirs@…> 11 years ago.


Change History (2)

Changed 11 years ago by Nir Soffer <nirs@…>

Attachment: session.patch added


comment:1 Changed 11 years ago by Malcolm Tredinnick

Resolution: wontfix
Status: new → closed

I don't think the churn is worth it here, since invalidating existing sessions is a little annoying. If somebody constructs a string that collides with our MD5 hash, there's not a lot they can do, since they really need the right string to be able to work out what's in the session. MD5 is vulnerable to collisions, not reverse-engineering.
